dstiles - 7:55 pm on May 13, 2013 (gmt 0)
Agree with keyplr - verisign are certainly not above suspicion. As a DNS provider they once tried to send all hits on unassigned IPs to their own advertising service. And in the recent past (maybe even now) they refused any mail from services outside the US unless we registered with them - it was easier to put a warning on web site contact forms! :)
In any case, was it actually from verisign or merely from a verisign-owned IP (server or DSL)?
I have a "honeypot" display:none link on most of my sites and find almost no-one, bot or human, falls in. The big SEs used to for a while but they seemed to learn.
How did they find your test site? One way is to scan DNS for A records. There is no way of blocking this as far as I know, so anyone can find your site if they really want to, especially if they already have an inkling based on the same domain name.
Robots.txt is only ever applicable to serious SEs as a suggestion and only then sometimes (witness G's web preview). The only real way of stopping unwanted access is through blocking IPs, UAs and other bad headers. If it's a test site then block everything except your own IP (easy enough for those of us with fixed or long-term IPs, annoying for those (eg in UK) whose IP changes daily.
And I don't need to tell you (but I will remind you anyway!): if the bot is not welcome then block it. :)